ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
sspmod_saml_Auth_Source_SP Class Reference
+ Inheritance diagram for sspmod_saml_Auth_Source_SP:
+ Collaboration diagram for sspmod_saml_Auth_Source_SP:

Public Member Functions

 __construct ($info, $config)
 Constructor for SAML SP authentication source. More...
 
 getMetadataURL ()
 Retrieve the URL to the metadata of this SP. More...
 
 getEntityId ()
 Retrieve the entity id of this SP. More...
 
 getMetadata ()
 Retrieve the metadata of this SP. More...
 
 getIdPMetadata ($entityId)
 Retrieve the metadata of an IdP. More...
 
 sendSAML2AuthnRequest (array &$state, \SAML2\Binding $binding, \SAML2\AuthnRequest $ar)
 Function to actually send the authentication request. More...
 
 startSSO ($idp, array $state)
 Send a SSO request to an IdP. More...
 
 authenticate (&$state)
 Start login. More...
 
 reauthenticate (array &$state)
 Re-authenticate an user. More...
 
 startSLO2 (&$state)
 Start a SAML 2 logout operation. More...
 
 logout (&$state)
 Start logout operation. More...
 
 handleResponse (array $state, $idp, array $attributes)
 Handle a response from a SSO operation. More...
 
 handleLogout ($idpEntityId)
 Handle a logout request from an IdP. More...
 
- Public Member Functions inherited from SimpleSAML_Auth_Source
 __construct ($info, &$config)
 Constructor for an authentication source. More...
 
 getAuthId ()
 Retrieve the ID of this authentication source. More...
 
 authenticate (&$state)
 Process a request. More...
 
 reauthenticate (array &$state)
 Reauthenticate an user. More...
 
 initLogin ($return, $errorURL=null, array $params=array())
 Start authentication. More...
 
 logout (&$state)
 Log out from this authentication source. More...
 

Static Public Member Functions

static askForIdPChange (array &$state)
 Ask the user to log out before being able to log in again with a different identity provider. More...
 
static reauthLogout (array $state)
 Log the user out before logging in again. More...
 
static reauthPostLogin (array $state)
 Complete login operation after re-authenticating the user on another IdP. More...
 
static handleUnsolicitedAuth ($authId, array $state, $redirectTo)
 Handle an unsolicited login operations. More...
 
static onProcessingCompleted (array $authProcState)
 Called when we have completed the procssing chain. More...
 
- Static Public Member Functions inherited from SimpleSAML_Auth_Source
static getSourcesOfType ($type)
 Get sources of a specific type. More...
 
static completeAuth (&$state)
 Complete authentication. More...
 
static loginCompleted ($state)
 Called when a login operation has finished. More...
 
static completeLogout (&$state)
 Complete logout. More...
 
static getById ($authId, $type=null)
 Retrieve authentication source. More...
 
static logoutCallback ($state)
 Called when the authentication source receives an external logout request. More...
 
static getSources ()
 Retrieve list of authentication sources. More...
 

Private Member Functions

 startSSO1 (SimpleSAML_Configuration $idpMetadata, array $state)
 Send a SAML1 SSO request to an IdP. More...
 
 startSSO2 (SimpleSAML_Configuration $idpMetadata, array $state)
 Send a SAML2 SSO request to an IdP. More...
 
 startDisco (array $state)
 Start an IdP discovery service operation. More...
 

Private Attributes

 $entityId
 
 $metadata
 
 $idp
 
 $discoURL
 

Additional Inherited Members

- Protected Member Functions inherited from SimpleSAML_Auth_Source
 addLogoutCallback ($assoc, $state)
 Add a logout callback association. More...
 
 callLogoutCallback ($assoc)
 Call a logout callback based on association. More...
 
- Static Protected Member Functions inherited from SimpleSAML_Auth_Source
static validateSource ($source, $id)
 Make sure that the first element of an auth source is its identifier. More...
 
- Protected Attributes inherited from SimpleSAML_Auth_Source
 $authId
 

Detailed Description

Definition at line 3 of file SP.php.

Constructor & Destructor Documentation

◆ __construct()

sspmod_saml_Auth_Source_SP::__construct (   $info,
  $config 
)

Constructor for SAML SP authentication source.

Parameters
array$infoInformation about this authentication source.
array$configConfiguration.

Definition at line 39 of file SP.php.

40 {
41 assert(is_array($info));
42 assert(is_array($config));
43
44 // Call the parent constructor first, as required by the interface
45 parent::__construct($info, $config);
46
47 if (!isset($config['entityID'])) {
48 $config['entityID'] = $this->getMetadataURL();
49 }
50
51 /* For compatibility with code that assumes that $metadata->getString('entityid')
52 * gives the entity id. */
53 $config['entityid'] = $config['entityID'];
54
56 'authsources[' . var_export($this->authId, true) . ']');
57 $this->entityId = $this->metadata->getString('entityID');
58 $this->idp = $this->metadata->getString('idp', null);
59 $this->discoURL = $this->metadata->getString('discoURL', null);
60
61 if (empty($this->discoURL) && SimpleSAML\Module::isModuleEnabled('discojuice')) {
62 $this->discoURL = SimpleSAML\Module::getModuleURL('discojuice/central.php');
63 }
64 }
static getModuleURL($resource, array $parameters=array())
Get absolute URL to a specified module resource.
Definition: Module.php:220
static loadFromArray($config, $location='[ARRAY]', $instance=null)
Loads a configuration from the given array.
getMetadataURL()
Retrieve the URL to the metadata of this SP.
Definition: SP.php:71
$config
Definition: bootstrap.php:15
$info
Definition: index.php:5
Attribute-related utility methods.

References $config, $info, getMetadataURL(), SimpleSAML\Module\getModuleURL(), and SimpleSAML_Configuration\loadFromArray().

+ Here is the call graph for this function:

Member Function Documentation

◆ askForIdPChange()

static sspmod_saml_Auth_Source_SP::askForIdPChange ( array &  $state)
static

Ask the user to log out before being able to log in again with a different identity provider.

Note that this method is intended for instances of SimpleSAMLphp running as a SAML proxy, and therefore acting both as an SP and an IdP at the same time.

This method will never return.

Parameters
array$stateThe state array. The following keys must be defined in the array:
  • 'saml:sp:IdPMetadata': a SimpleSAML_Configuration object containing the metadata of the IdP that authenticated the user in the current session.
  • 'saml:sp:AuthId': the identifier of the current authentication source.
  • 'core:IdP': the identifier of the local IdP.
  • 'SPMetadata': an array with the metadata of this local SP.
Exceptions
SimpleSAML_Error_NoPassiveIn case the authentication request was passive.

Definition at line 527 of file SP.php.

528 {
529 assert(array_key_exists('saml:sp:IdPMetadata', $state));
530 assert(array_key_exists('saml:sp:AuthId', $state));
531 assert(array_key_exists('core:IdP', $state));
532 assert(array_key_exists('SPMetadata', $state));
533
534 if (isset($state['isPassive']) && (bool)$state['isPassive']) {
535 // passive request, we cannot authenticate the user
537 \SAML2\Constants::STATUS_REQUESTER,
538 'Reauthentication required'
539 );
540 }
541
542 // save the state WITHOUT a restart URL, so that we don't try an IdP-initiated login if something goes wrong
543 $id = SimpleSAML_Auth_State::saveState($state, 'saml:proxy:invalid_idp', true);
544 $url = SimpleSAML\Module::getModuleURL('saml/proxy/invalid_session.php');
545 SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('AuthState' => $id));
546 assert(false);
547 }
if(!array_key_exists('stateid', $_REQUEST)) $state
Handle linkback() response from LinkedIn.
Definition: linkback.php:10
static redirectTrustedURL($url, $parameters=array())
This function redirects to the specified URL without performing any security checks.
Definition: HTTP.php:959
static saveState(&$state, $stage, $rawId=false)
Save the state.
Definition: State.php:194
if(!array_key_exists('StateId', $_REQUEST)) $id
$url

References $id, $state, $url, SimpleSAML\Module\getModuleURL(), SimpleSAML\Utils\HTTP\redirectTrustedURL(), and SimpleSAML_Auth_State\saveState().

Referenced by reauthenticate().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ authenticate()

sspmod_saml_Auth_Source_SP::authenticate ( $state)

Start login.

This function saves the information about the login, and redirects to the IdP.

Parameters
array&$stateInformation about the current authentication.

Reimplemented from SimpleSAML_Auth_Source.

Definition at line 386 of file SP.php.

387 {
388 assert(is_array($state));
389
390 /* We are going to need the authId in order to retrieve this authentication source later. */
391 $state['saml:sp:AuthId'] = $this->authId;
392
394
395 if (isset($state['saml:idp'])) {
396 $idp = (string)$state['saml:idp'];
397 }
398
399 if (isset($state['saml:IDPList']) && sizeof($state['saml:IDPList']) > 0) {
400 // we have a SAML IDPList (we are a proxy): filter the list of IdPs available
402 $known_idps = $mdh->getList();
403 $intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
404
405 if (empty($intersection)) {
406 // all requested IdPs are unknown
408 \SAML2\Constants::STATUS_REQUESTER,
409 'None of the IdPs requested are supported by this proxy.'
410 );
411 }
412
413 if (!is_null($idp) && !in_array($idp, $intersection, true)) {
414 // the IdP is enforced but not in the IDPList
416 \SAML2\Constants::STATUS_REQUESTER,
417 'None of the IdPs requested are available to this proxy.'
418 );
419 }
420
421 if (is_null($idp) && sizeof($intersection) === 1) {
422 // only one IdP requested or valid
423 $idp = current($state['saml:IDPList']);
424 }
425 }
426
427 if ($idp === null) {
428 $this->startDisco($state);
429 assert(false);
430 }
431
432 $this->startSSO($idp, $state);
433 assert(false);
434 }
static getMetadataHandler()
This function retrieves the current instance of the metadata handler.
startSSO($idp, array $state)
Send a SSO request to an IdP.
Definition: SP.php:325
startDisco(array $state)
Start an IdP discovery service operation.
Definition: SP.php:350
$mdh

References SimpleSAML_Auth_Source\$authId, $idp, $mdh, $state, SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler(), startDisco(), and startSSO().

+ Here is the call graph for this function:

◆ getEntityId()

sspmod_saml_Auth_Source_SP::getEntityId ( )

Retrieve the entity id of this SP.

Returns
string The entity id of this SP.

Definition at line 81 of file SP.php.

82 {
83 return $this->entityId;
84 }

References $entityId.

Referenced by SAML2\Assertion\Validation\ConstraintValidator\SpIsValidAudience\validate().

+ Here is the caller graph for this function:

◆ getIdPMetadata()

sspmod_saml_Auth_Source_SP::getIdPMetadata (   $entityId)

Retrieve the metadata of an IdP.

Parameters
string$entityIdThe entity id of the IdP.
Returns
SimpleSAML_Configuration The metadata of the IdP.

Definition at line 102 of file SP.php.

103 {
104 assert(is_string($entityId));
105
106 if ($this->idp !== null && $this->idp !== $entityId) {
107 throw new SimpleSAML_Error_Exception('Cannot retrieve metadata for IdP ' .
108 var_export($entityId, true) .
109 ' because it isn\'t a valid IdP for this SP.');
110 }
111
113
114 // First, look in saml20-idp-remote.
115 try {
116 return $metadataHandler->getMetaDataConfig($entityId, 'saml20-idp-remote');
117 } catch (Exception $e) {
118 /* Metadata wasn't found. */
119 SimpleSAML\Logger::debug('getIdpMetadata: ' . $e->getMessage());
120 }
121
122 /* Not found in saml20-idp-remote, look in shib13-idp-remote. */
123 try {
124 return $metadataHandler->getMetaDataConfig($entityId, 'shib13-idp-remote');
125 } catch (Exception $e) {
126 /* Metadata wasn't found. */
127 SimpleSAML\Logger::debug('getIdpMetadata: ' . $e->getMessage());
128 }
129
130 /* Not found. */
131 throw new SimpleSAML_Error_Exception('Could not find the metadata of an IdP with entity ID ' .
132 var_export($entityId, true));
133 }
static debug($string)
Definition: Logger.php:211

References $entityId, SimpleSAML\Logger\debug(), and SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler().

Referenced by reauthenticate(), startSLO2(), and startSSO().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ getMetadata()

sspmod_saml_Auth_Source_SP::getMetadata ( )

Retrieve the metadata of this SP.

Returns
SimpleSAML_Configuration The metadata of this SP.

Definition at line 91 of file SP.php.

92 {
93 return $this->metadata;
94 }

References $metadata.

◆ getMetadataURL()

sspmod_saml_Auth_Source_SP::getMetadataURL ( )

Retrieve the URL to the metadata of this SP.

Returns
string The metadata URL.

Definition at line 71 of file SP.php.

72 {
73 return SimpleSAML\Module::getModuleURL('saml/sp/metadata.php/' . urlencode($this->authId));
74 }

References SimpleSAML\Module\getModuleURL().

Referenced by __construct().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ handleLogout()

sspmod_saml_Auth_Source_SP::handleLogout (   $idpEntityId)

Handle a logout request from an IdP.

Parameters
string$idpEntityIdThe entity ID of the IdP.

Definition at line 736 of file SP.php.

737 {
738 assert(is_string($idpEntityId));
739
740 /* Call the logout callback we registered in onProcessingCompleted(). */
742 }
callLogoutCallback($assoc)
Call a logout callback based on association.
Definition: Source.php:455
$idpEntityId
Definition: prp.php:12

References $idpEntityId, and SimpleSAML_Auth_Source\callLogoutCallback().

+ Here is the call graph for this function:

◆ handleResponse()

sspmod_saml_Auth_Source_SP::handleResponse ( array  $state,
  $idp,
array  $attributes 
)

Handle a response from a SSO operation.

Parameters
array$stateThe authentication state.
string$idpThe entity id of the IdP.
array$attributesThe attributes.

Definition at line 693 of file SP.php.

694 {
695 assert(is_string($idp));
696 assert(array_key_exists('LogoutState', $state));
697 assert(array_key_exists('saml:logout:Type', $state['LogoutState']));
698
699 $idpMetadata = $this->getIdpMetadata($idp);
700
701 $spMetadataArray = $this->metadata->toArray();
702 $idpMetadataArray = $idpMetadata->toArray();
703
704 /* Save the IdP in the state array. */
705 $state['saml:sp:IdP'] = $idp;
706 $state['PersistentAuthData'][] = 'saml:sp:IdP';
707
708 $authProcState = array(
709 'saml:sp:IdP' => $idp,
710 'saml:sp:State' => $state,
711 'ReturnCall' => array('sspmod_saml_Auth_Source_SP', 'onProcessingCompleted'),
712
713 'Attributes' => $attributes,
714 'Destination' => $spMetadataArray,
715 'Source' => $idpMetadataArray,
716 );
717
718 if (isset($state['saml:sp:NameID'])) {
719 $authProcState['saml:sp:NameID'] = $state['saml:sp:NameID'];
720 }
721 if (isset($state['saml:sp:SessionIndex'])) {
722 $authProcState['saml:sp:SessionIndex'] = $state['saml:sp:SessionIndex'];
723 }
724
725 $pc = new SimpleSAML_Auth_ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp');
726 $pc->processState($authProcState);
727
728 self::onProcessingCompleted($authProcState);
729 }
static onProcessingCompleted(array $authProcState)
Called when we have completed the procssing chain.
Definition: SP.php:774
if(array_key_exists('yes', $_REQUEST)) $attributes
Definition: getconsent.php:85
$idpMetadata

References $attributes, $idp, $idpMetadata, $state, and onProcessingCompleted().

+ Here is the call graph for this function:

◆ handleUnsolicitedAuth()

static sspmod_saml_Auth_Source_SP::handleUnsolicitedAuth (   $authId,
array  $state,
  $redirectTo 
)
static

Handle an unsolicited login operations.

This method creates a session from the information received. It will then redirect to the given URL. This is used to handle IdP initiated SSO. This method will never return.

Parameters
string$authIdThe id of the authentication source that received the request.
array$stateA state array.
string$redirectToThe URL we should redirect the user to after updating the session. The function will check if the URL is allowed, so there is no need to manually check the URL on beforehand. Please refer to the 'trusted.url.domains' configuration directive for more information about allowing (or disallowing) URLs.

Definition at line 758 of file SP.php.

759 {
760 assert(is_string($authId));
761 assert(is_string($redirectTo));
762
765
767 }
static redirectUntrustedURL($url, $parameters=array())
This function redirects to the specified URL after performing the appropriate security checks on it.
Definition: HTTP.php:991
static getPersistentAuthData(array $state)
Get the persistent authentication state from the state array.
Definition: State.php:103
static getSessionFromRequest()
Retrieves the current session.
Definition: Session.php:241
$session

References SimpleSAML_Auth_Source\$authId, $session, $state, SimpleSAML_Auth_State\getPersistentAuthData(), SimpleSAML_Session\getSessionFromRequest(), and SimpleSAML\Utils\HTTP\redirectUntrustedURL().

Referenced by SimpleSAML_Auth_Default\handleUnsolicitedAuth(), and onProcessingCompleted().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ logout()

sspmod_saml_Auth_Source_SP::logout ( $state)

Start logout operation.

Parameters
array$stateThe logout state.

Reimplemented from SimpleSAML_Auth_Source.

Definition at line 667 of file SP.php.

668 {
669 assert(is_array($state));
670 assert(array_key_exists('saml:logout:Type', $state));
671
672 $logoutType = $state['saml:logout:Type'];
673 switch ($logoutType) {
674 case 'saml1':
675 /* Nothing to do. */
676 return;
677 case 'saml2':
678 $this->startSLO2($state);
679 return;
680 default:
681 /* Should never happen. */
682 assert(false);
683 }
684 }
startSLO2(&$state)
Start a SAML 2 logout operation.
Definition: SP.php:619

References $state, and startSLO2().

+ Here is the call graph for this function:

◆ onProcessingCompleted()

static sspmod_saml_Auth_Source_SP::onProcessingCompleted ( array  $authProcState)
static

Called when we have completed the procssing chain.

Parameters
array$authProcStateThe processing chain state.

Definition at line 774 of file SP.php.

775 {
776 assert(array_key_exists('saml:sp:IdP', $authProcState));
777 assert(array_key_exists('saml:sp:State', $authProcState));
778 assert(array_key_exists('Attributes', $authProcState));
779
780 $idp = $authProcState['saml:sp:IdP'];
781 $state = $authProcState['saml:sp:State'];
782
783 $sourceId = $state['saml:sp:AuthId'];
785 if ($source === null) {
786 throw new Exception('Could not find authentication source with id ' . $sourceId);
787 }
788
789 /* Register a callback that we can call if we receive a logout request from the IdP. */
790 $source->addLogoutCallback($idp, $state);
791
792 $state['Attributes'] = $authProcState['Attributes'];
793
794 if (isset($state['saml:sp:isUnsolicited']) && (bool)$state['saml:sp:isUnsolicited']) {
795 if (!empty($state['saml:sp:RelayState'])) {
796 $redirectTo = $state['saml:sp:RelayState'];
797 } else {
798 $redirectTo = $source->getMetadata()->getString('RelayState', '/');
799 }
801 }
802
804 }
if(!array_key_exists(sspmod_authfacebook_Auth_Source_Facebook::AUTHID, $state)) $sourceId
Definition: linkback.php:20
$source
Definition: linkback.php:22
static getById($authId, $type=null)
Retrieve authentication source.
Definition: Source.php:340
static completeAuth(&$state)
Complete authentication.
Definition: Source.php:136
static handleUnsolicitedAuth($authId, array $state, $redirectTo)
Handle an unsolicited login operations.
Definition: SP.php:758

References $idp, $source, $sourceId, $state, SimpleSAML_Auth_Source\completeAuth(), SimpleSAML_Auth_Source\getById(), and handleUnsolicitedAuth().

Referenced by handleResponse().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ reauthenticate()

sspmod_saml_Auth_Source_SP::reauthenticate ( array &  $state)

Re-authenticate an user.

This function is called by the IdP to give the authentication source a chance to interact with the user even in the case when the user is already authenticated.

Parameters
array&$stateInformation about the current authentication.

Reimplemented from SimpleSAML_Auth_Source.

Definition at line 444 of file SP.php.

445 {
446 assert(is_array($state));
447
449 $data = $session->getAuthState($this->authId);
450 foreach ($data as $k => $v) {
451 $state[$k] = $v;
452 }
453
454 // check if we have an IDPList specified in the request
455 if (isset($state['saml:IDPList']) && sizeof($state['saml:IDPList']) > 0 &&
456 !in_array($state['saml:sp:IdP'], $state['saml:IDPList'], true))
457 {
458 /*
459 * The user has an existing, valid session. However, the SP
460 * provided a list of IdPs it accepts for authentication, and
461 * the IdP the existing session is related to is not in that list.
462 *
463 * First, check if we recognize any of the IdPs requested.
464 */
465
467 $known_idps = $mdh->getList();
468 $intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
469
470 if (empty($intersection)) {
471 // all requested IdPs are unknown
473 \SAML2\Constants::STATUS_REQUESTER,
474 'None of the IdPs requested are supported by this proxy.'
475 );
476 }
477
478 /*
479 * We have at least one IdP in the IDPList that we recognize, and
480 * it's not the one currently in use. Let's see if this proxy
481 * enforces the use of one single IdP.
482 */
483 if (!is_null($this->idp) && !in_array($this->idp, $intersection, true)) {
484 // an IdP is enforced but not requested
486 \SAML2\Constants::STATUS_REQUESTER,
487 'None of the IdPs requested are available to this proxy.'
488 );
489 }
490
491 /*
492 * We need to inform the user, and ask whether we should logout before
493 * starting the authentication process again with a different IdP, or
494 * cancel the current SSO attempt.
495 */
497 "Reauthentication after logout is needed. The IdP '${state['saml:sp:IdP']}' is not in the IDPList ".
498 "provided by the Service Provider '${state['core:SP']}'."
499 );
500
501 $state['saml:sp:IdPMetadata'] = $this->getIdPMetadata($state['saml:sp:IdP']);
502 $state['saml:sp:AuthId'] = $this->authId;
504 }
505 }
static warning($string)
Definition: Logger.php:177
static askForIdPChange(array &$state)
Ask the user to log out before being able to log in again with a different identity provider.
Definition: SP.php:527
getIdPMetadata($entityId)
Retrieve the metadata of an IdP.
Definition: SP.php:102
$data
Definition: bench.php:6

References SimpleSAML_Auth_Source\$authId, $data, $mdh, $session, $state, askForIdPChange(), getIdPMetadata(), SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler(), SimpleSAML_Session\getSessionFromRequest(), and SimpleSAML\Logger\warning().

+ Here is the call graph for this function:

◆ reauthLogout()

static sspmod_saml_Auth_Source_SP::reauthLogout ( array  $state)
static

Log the user out before logging in again.

This method will never return.

Parameters
array$stateThe state array.

Definition at line 556 of file SP.php.

557 {
558 SimpleSAML\Logger::debug('Proxy: logging the user out before re-authentication.');
559
560 if (isset($state['Responder'])) {
561 $state['saml:proxy:reauthLogout:PrevResponder'] = $state['Responder'];
562 }
563 $state['Responder'] = array('sspmod_saml_Auth_Source_SP', 'reauthPostLogout');
564
566 $idp->handleLogoutRequest($state, null);
567 assert(false);
568 }
static getByState(array &$state)
Retrieve the IdP "owning" the state.
Definition: IdP.php:145

References $idp, $state, SimpleSAML\Logger\debug(), and SimpleSAML_IdP\getByState().

+ Here is the call graph for this function:

◆ reauthPostLogin()

static sspmod_saml_Auth_Source_SP::reauthPostLogin ( array  $state)
static

Complete login operation after re-authenticating the user on another IdP.

Parameters
array$stateThe authentication state.

Definition at line 575 of file SP.php.

576 {
577 assert(isset($state['ReturnCallback']));
578
579 // Update session state
581 $authId = $state['saml:sp:AuthId'];
583
584 // resume the login process
585 call_user_func($state['ReturnCallback'], $state);
586 assert(false);
587 }

References SimpleSAML_Auth_Source\$authId, $session, $state, SimpleSAML_Auth_State\getPersistentAuthData(), and SimpleSAML_Session\getSessionFromRequest().

+ Here is the call graph for this function:

◆ sendSAML2AuthnRequest()

sspmod_saml_Auth_Source_SP::sendSAML2AuthnRequest ( array &  $state,
\SAML2\Binding  $binding,
\SAML2\AuthnRequest  $ar 
)

Function to actually send the authentication request.

This function does not return.

Parameters
array&$stateThe state array.
\SAML2\Binding$bindingThe binding.
\SAML2\AuthnRequest$arThe authentication request.

Definition at line 313 of file SP.php.

314 {
315 $binding->send($ar);
316 assert(false);
317 }
$binding

References $binding.

Referenced by startSSO2().

+ Here is the caller graph for this function:

◆ startDisco()

sspmod_saml_Auth_Source_SP::startDisco ( array  $state)
private

Start an IdP discovery service operation.

Parameters
array$stateThe state array.

Definition at line 350 of file SP.php.

351 {
353
355 if ($discoURL === null) {
356 /* Fallback to internal discovery service. */
357 $discoURL = SimpleSAML\Module::getModuleURL('saml/disco.php');
358 }
359
360 $returnTo = SimpleSAML\Module::getModuleURL('saml/sp/discoresp.php', array('AuthID' => $id));
361
362 $params = array(
363 'entityID' => $this->entityId,
364 'return' => $returnTo,
365 'returnIDParam' => 'idpentityid'
366 );
367
368 if(isset($state['saml:IDPList'])) {
369 $params['IDPList'] = $state['saml:IDPList'];
370 }
371
372 if (isset($state['isPassive']) && $state['isPassive']) {
373 $params['isPassive'] = 'true';
374 }
375
377 }
if(!isset($_REQUEST['ReturnTo'])) $returnTo
Definition: authpage.php:16

References $discoURL, $id, PHPMailer\PHPMailer\$params, $returnTo, $state, SimpleSAML\Module\getModuleURL(), SimpleSAML\Utils\HTTP\redirectTrustedURL(), and SimpleSAML_Auth_State\saveState().

Referenced by authenticate().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ startSLO2()

sspmod_saml_Auth_Source_SP::startSLO2 ( $state)

Start a SAML 2 logout operation.

Parameters
array$stateThe logout state.

Definition at line 619 of file SP.php.

620 {
621 assert(is_array($state));
622 assert(array_key_exists('saml:logout:IdP', $state));
623 assert(array_key_exists('saml:logout:NameID', $state));
624 assert(array_key_exists('saml:logout:SessionIndex', $state));
625
627
628 $idp = $state['saml:logout:IdP'];
629 $nameId = $state['saml:logout:NameID'];
630 $sessionIndex = $state['saml:logout:SessionIndex'];
631
633
634 $endpoint = $idpMetadata->getEndpointPrioritizedByBinding('SingleLogoutService', array(
635 \SAML2\Constants::BINDING_HTTP_REDIRECT,
636 \SAML2\Constants::BINDING_HTTP_POST), false);
637 if ($endpoint === false) {
638 SimpleSAML\Logger::info('No logout endpoint for IdP ' . var_export($idp, true) . '.');
639 return;
640 }
641
643 $lr->setNameId($nameId);
644 $lr->setSessionIndex($sessionIndex);
645 $lr->setRelayState($id);
646 $lr->setDestination($endpoint['Location']);
647
648 $encryptNameId = $idpMetadata->getBoolean('nameid.encryption', null);
649 if ($encryptNameId === null) {
650 $encryptNameId = $this->metadata->getBoolean('nameid.encryption', false);
651 }
652 if ($encryptNameId) {
654 }
655
656 $b = \SAML2\Binding::getBinding($endpoint['Binding']);
657 $b->send($lr);
658
659 assert(false);
660 }
$endpoint
static getBinding($urn)
Retrieve a binding with the given URN.
Definition: Binding.php:28
static info($string)
Definition: Logger.php:199
static buildLogoutRequest(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata)
Build a logout request based on information in the metadata.
Definition: Message.php:536
static getEncryptionKey(SimpleSAML_Configuration $metadata)
Retrieve the encryption key for the given entity.
Definition: Message.php:865
$nameId
Definition: saml2-acs.php:138
$sessionIndex
Definition: saml2-acs.php:139
$lr
$encryptNameId

References $encryptNameId, $endpoint, $id, $idp, $idpMetadata, $lr, $nameId, $sessionIndex, $state, sspmod_saml_Message\buildLogoutRequest(), SAML2\Binding\getBinding(), sspmod_saml_Message\getEncryptionKey(), getIdPMetadata(), SimpleSAML\Logger\info(), and SimpleSAML_Auth_State\saveState().

Referenced by logout().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ startSSO()

sspmod_saml_Auth_Source_SP::startSSO (   $idp,
array  $state 
)

Send a SSO request to an IdP.

Parameters
string$idpThe entity ID of the IdP.
array$stateThe state array for the current authentication.

Definition at line 325 of file SP.php.

326 {
327 assert(is_string($idp));
328
330
331 $type = $idpMetadata->getString('metadata-set');
332 switch ($type) {
333 case 'shib13-idp-remote':
335 assert(false); /* Should not return. */
336 case 'saml20-idp-remote':
338 assert(false); /* Should not return. */
339 default:
340 /* Should only be one of the known types. */
341 assert(false);
342 }
343 }
startSSO2(SimpleSAML_Configuration $idpMetadata, array $state)
Send a SAML2 SSO request to an IdP.
Definition: SP.php:177
startSSO1(SimpleSAML_Configuration $idpMetadata, array $state)
Send a SAML1 SSO request to an IdP.
Definition: SP.php:141
$type

References $idp, $idpMetadata, $type, getIdPMetadata(), startSSO1(), and startSSO2().

Referenced by authenticate().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ startSSO1()

sspmod_saml_Auth_Source_SP::startSSO1 ( SimpleSAML_Configuration  $idpMetadata,
array  $state 
)
private

Send a SAML1 SSO request to an IdP.

Parameters
SimpleSAML_Configuration$idpMetadataThe metadata of the IdP.
array$stateThe state array for the current authentication.

Definition at line 141 of file SP.php.

142 {
143 $idpEntityId = $idpMetadata->getString('entityid');
144
145 $state['saml:idp'] = $idpEntityId;
146
147 $ar = new \SimpleSAML\XML\Shib13\AuthnRequest();
148 $ar->setIssuer($this->entityId);
149
151 $ar->setRelayState($id);
152
153 $useArtifact = $idpMetadata->getBoolean('saml1.useartifact', null);
154 if ($useArtifact === null) {
155 $useArtifact = $this->metadata->getBoolean('saml1.useartifact', false);
156 }
157
158 if ($useArtifact) {
159 $shire = SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->authId . '/artifact');
160 } else {
161 $shire = SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->authId);
162 }
163
164 $url = $ar->createRedirect($idpEntityId, $shire);
165
166 SimpleSAML\Logger::debug('Starting SAML 1 SSO to ' . var_export($idpEntityId, true) .
167 ' from ' . var_export($this->entityId, true) . '.');
169 }

References $id, $idpEntityId, $idpMetadata, $state, $url, SimpleSAML\Logger\debug(), SimpleSAML\Module\getModuleURL(), SimpleSAML\Utils\HTTP\redirectTrustedURL(), and SimpleSAML_Auth_State\saveState().

Referenced by startSSO().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ startSSO2()

sspmod_saml_Auth_Source_SP::startSSO2 ( SimpleSAML_Configuration  $idpMetadata,
array  $state 
)
private

Send a SAML2 SSO request to an IdP.

Parameters
SimpleSAML_Configuration$idpMetadataThe metadata of the IdP.
array$stateThe state array for the current authentication.

Definition at line 177 of file SP.php.

178 {
179 if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] < 0) {
181 $state,
182 new \SimpleSAML\Module\saml\Error\ProxyCountExceeded(\SAML2\Constants::STATUS_RESPONDER)
183 );
184 }
185
187
188 // ilias-patch: begin
189 // see: https://bugs.launchpad.net/mahara/+bug/1689685
190 // see: https://github.com/simplesamlphp/simplesamlphp/issues/503
191 //$ar->setAssertionConsumerServiceURL(SimpleSAML\Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId));
192 $ar->setAssertionConsumerServiceURL(ILIAS_HTTP_PATH . '/Services/Saml/lib/saml2-acs.php/default-sp/' . CLIENT_ID);
193 // ilias-patch: end
194
195 if (isset($state['SimpleSAML_Auth_Source.ReturnURL'])) {
196 $ar->setRelayState($state['SimpleSAML_Auth_Source.ReturnURL']);
197 }
198
199 if (isset($state['saml:AuthnContextClassRef'])) {
200 $accr = SimpleSAML\Utils\Arrays::arrayize($state['saml:AuthnContextClassRef']);
202 if (isset($state['saml:AuthnContextComparison']) && in_array($state['AuthnContextComparison'], array(
203 SAML2\Constants::COMPARISON_EXACT,
204 SAML2\Constants::COMPARISON_MINIMUM,
205 SAML2\Constants::COMPARISON_MAXIMUM,
206 SAML2\Constants::COMPARISON_BETTER,
207 ), true)) {
208 $comp = $state['saml:AuthnContextComparison'];
209 }
210 $ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr, 'Comparison' => $comp));
211 }
212
213 if (isset($state['ForceAuthn'])) {
214 $ar->setForceAuthn((bool)$state['ForceAuthn']);
215 }
216
217 if (isset($state['isPassive'])) {
218 $ar->setIsPassive((bool)$state['isPassive']);
219 }
220
221 if (isset($state['saml:NameID'])) {
222 if (!is_array($state['saml:NameID']) && !is_a($state['saml:NameID'], '\SAML2\XML\saml\NameID')) {
223 throw new SimpleSAML_Error_Exception('Invalid value of $state[\'saml:NameID\'].');
224 }
225 $ar->setNameId($state['saml:NameID']);
226 }
227
228 if (isset($state['saml:NameIDPolicy'])) {
229 if (is_string($state['saml:NameIDPolicy'])) {
230 $policy = array(
231 'Format' => (string)$state['saml:NameIDPolicy'],
232 'AllowCreate' => true,
233 );
234 } elseif (is_array($state['saml:NameIDPolicy'])) {
235 $policy = $state['saml:NameIDPolicy'];
236 } else {
237 throw new SimpleSAML_Error_Exception('Invalid value of $state[\'saml:NameIDPolicy\'].');
238 }
239 $ar->setNameIdPolicy($policy);
240 }
241
242 if (isset($state['saml:IDPList'])) {
243 $IDPList = $state['saml:IDPList'];
244 } else {
245 $IDPList = array();
246 }
247
248 $ar->setIDPList(array_unique(array_merge($this->metadata->getArray('IDPList', array()),
249 $idpMetadata->getArray('IDPList', array()),
250 (array) $IDPList)));
251
252 if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
253 $ar->setProxyCount($state['saml:ProxyCount']);
254 } elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) {
255 $ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null));
256 } elseif ($this->metadata->getInteger('ProxyCount', null) !== null) {
257 $ar->setProxyCount($this->metadata->getInteger('ProxyCount', null));
258 }
259
260 $requesterID = array();
261 if (isset($state['saml:RequesterID'])) {
262 $requesterID = $state['saml:RequesterID'];
263 }
264
265 if (isset($state['core:SP'])) {
266 $requesterID[] = $state['core:SP'];
267 }
268
269 $ar->setRequesterID($requesterID);
270
271 if (isset($state['saml:Extensions'])) {
272 $ar->setExtensions($state['saml:Extensions']);
273 }
274
275 // save IdP entity ID as part of the state
276 $state['ExpectedIssuer'] = $idpMetadata->getString('entityid');
277
278 $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso', true);
279 $ar->setId($id);
280
281 SimpleSAML\Logger::debug('Sending SAML 2 AuthnRequest to ' .
282 var_export($idpMetadata->getString('entityid'), true));
283
284 /* Select appropriate SSO endpoint */
285 if ($ar->getProtocolBinding() === \SAML2\Constants::BINDING_HOK_SSO) {
286 $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(
287 \SAML2\Constants::BINDING_HOK_SSO)
288 );
289 } else {
290 $dst = $idpMetadata->getEndpointPrioritizedByBinding('SingleSignOnService', [
291 \SAML2\Constants::BINDING_HTTP_REDIRECT,
292 \SAML2\Constants::BINDING_HTTP_POST,
293 ]);
294 }
295 $ar->setDestination($dst['Location']);
296
297 $b = \SAML2\Binding::getBinding($dst['Binding']);
298
299 $this->sendSAML2AuthnRequest($state, $b, $ar);
300
301 assert(false);
302 }
const COMPARISON_EXACT
Request Authentication Context Comparison indicating that the resulting authentication context in the...
Definition: Constants.php:83
static arrayize($data, $index=0)
Put a non-array variable into an array.
Definition: Arrays.php:24
static throwException($state, SimpleSAML_Error_Exception $exception)
Throw exception to the state exception handler.
Definition: State.php:343
sendSAML2AuthnRequest(array &$state, \SAML2\Binding $binding, \SAML2\AuthnRequest $ar)
Function to actually send the authentication request.
Definition: SP.php:313
static buildAuthnRequest(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata)
Build an authentication request based on information in the metadata.
Definition: Message.php:466
$dst

References $dst, $id, $idpMetadata, $state, SimpleSAML\Utils\Arrays\arrayize(), sspmod_saml_Message\buildAuthnRequest(), SAML2\Constants\COMPARISON_EXACT, SimpleSAML\Logger\debug(), SAML2\Binding\getBinding(), SimpleSAML_Auth_State\saveState(), sendSAML2AuthnRequest(), and SimpleSAML_Auth_State\throwException().

Referenced by startSSO().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

Field Documentation

◆ $discoURL

sspmod_saml_Auth_Source_SP::$discoURL
private

Definition at line 31 of file SP.php.

Referenced by startDisco().

◆ $entityId

sspmod_saml_Auth_Source_SP::$entityId
private

Definition at line 10 of file SP.php.

Referenced by getEntityId(), and getIdPMetadata().

◆ $idp

sspmod_saml_Auth_Source_SP::$idp
private

◆ $metadata

sspmod_saml_Auth_Source_SP::$metadata
private

Definition at line 17 of file SP.php.

Referenced by getMetadata().


The documentation for this class was generated from the following file: